Search This Blog

Encrypting stored passwords in spring web application

We take security very seriously and have taken steps to harden our services so if some one has ssh access to the box he wont be able to read the files but the webapp has to be able to read the spring config which has passwords to database so we need to protect it from any file download vulnerability.

So the plan was to encrypt passwords stored in spring files and decrypt it at runtime. As we had to decrypt the passwords back this has to be a symmetric encryption but with salt. After doing some research I found jasypt library that would be able to do this. The steps I followed were:

1) move all passwords to a separate file called as XXX_passwords.properties
2)changed spring xml to use property placeholders like ${mysql.user.password}.
3) added spring beans to load the password and decrypt them using the ENV variable ENCRYPTION_PASSWORD and added two jars to class path jasypt-1.9.1.jar and jasypt-spring31-1.9.1.jar

I have a thumbnail generator that launches multiple processes and the correct way to shut it down is to send kill -HUP to the parent process. To automate I had to write a pid file from python, it was a piece of cake
def writePidFile():
pid = str(os.getpid())
f = open('thumbnail_rabbit_consumer.pid', 'w')
f.write(pid)
f.close()

About Me

I like writing good code and improve myself every day by learning new things. I like working for startups as they give you tons of challenges than working for a big company, not sure if you guys feel it but simple programming quirks give me tons of joy. This blog is about the things that I worked on and found worth sharing with fellow programmers who are googling for solutions like me.
This weblog does not represent the thoughts, intentions, plans or strategies of my employer. It is solely my opinion.